#!/bin/bash # # Test mode compatibility, check input + kernel and cryptsetup cipher status # [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup DEV_NAME=dmc_test HEADER_IMG=mode-test.img PASSWORD=3xrododenron PASSWORD1=$PASSWORD KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540" FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" # cipher-chainmode-ivopts:ivmode CIPHERS="aes twofish serpent" MODES="cbc lrw xts" IVMODES="null benbi plain plain64 essiv:sha256" LOOPDEV=$(losetup -f 2>/dev/null) if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then CRYPTSETUP_VALGRIND=$CRYPTSETUP else CRYPTSETUP_VALGRIND=../.libs/cryptsetup CRYPTSETUP_LIB_VALGRIND=../.libs fi dmremove() { # device udevadm settle >/dev/null 2>&1 dmsetup remove --retry $1 >/dev/null 2>&1 } cleanup() { [ -b /dev/mapper/"$DEV_NAME"_tstdev ] && dmremove "$DEV_NAME"_tstdev [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME losetup -d $LOOPDEV >/dev/null 2>&1 rm -f $HEADER_IMG >/dev/null 2>&1 } fail() { [ -n "$1" ] && echo "$1" echo "FAILED backtrace:" while caller $frame; do ((frame++)); done cleanup exit 100 } skip() { [ -n "$1" ] && echo "$1" exit 77 } function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." [ ! -f valg.sh ] && fail "Unable to get location of valg runner script." if [ -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" fi } function valgrind_run() { INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } add_device() { cleanup dd if=/dev/zero of=$HEADER_IMG bs=1M count=6 >/dev/null 2>&1 sync losetup $LOOPDEV $HEADER_IMG >/dev/null 2>&1 dmsetup create $DEV_NAME --table "0 10240 linear $LOOPDEV 8" >/dev/null 2>&1 } dmcrypt_check() # device outstring { X=$(dmsetup table $1 2>/dev/null | sed 's/.*: //' | cut -d' ' -f 4) if [ "$X" = $2 ] ; then echo -n "[table OK]" else echo "[table FAIL]" echo " Expecting $2 got $X." fail fi X=$($CRYPTSETUP status $1 | grep cipher: | sed s/\.\*cipher:\\s*//) if [ $X = $2 ] ; then echo -n "[status OK]" else echo "[status FAIL]" echo " Expecting $2 got \"$X\"." fail fi dmremove $1 } dmcrypt_check_sum() # cipher device { EXPSUM="c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29" # Fill device with zeroes and reopen it dd if=/dev/zero of=/dev/mapper/$2 bs=1M count=6 >/dev/null 2>&1 sync dmremove $2 echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 $2 /dev/mapper/$DEV_NAME >/dev/null 2>&1 ret=$? VSUM=$(sha256sum /dev/mapper/$2 | cut -d' ' -f 1) if [ $ret -eq 0 -a "$VSUM" = "$EXPSUM" ] ; then echo -n "[OK]" else echo "[FAIL]" echo " Expecting $EXPSUM got $VSUM." fail fi dmremove $2 } dmcrypt() { OUT=$2 [ -z "$OUT" ] && OUT=$1 printf "%-31s" "$1" echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then echo -n -e "PLAIN:" dmcrypt_check "$DEV_NAME"_tstdev $OUT else echo -n "[n/a]" fi echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF2 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then echo -n -e " LUKS1:" echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail dmcrypt_check "$DEV_NAME"_tstdev $OUT fi echo $PASSWORD | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 $FAST_PBKDF2 -c $1 -s 256 --offset 8192 /dev/mapper/$DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then echo -n -e " LUKS2:" echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail dmcrypt_check "$DEV_NAME"_tstdev $OUT fi # repeated device creation must return the same checksum echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME >/dev/null 2>&1 if [ $? -eq 0 ] ; then echo -n -e " CHECKSUM:" dmcrypt_check_sum "$1" "$DEV_NAME"_tstdev fi echo } [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." [ -z "$LOOPDEV" ] && skip "Cannot find free loop device, test skipped." [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run add_device # compatibility modes dmcrypt aes aes-cbc-plain dmcrypt aes-plain aes-cbc-plain # empty cipher PASSWORD="" dmcrypt null cipher_null-ecb dmcrypt cipher_null cipher_null-ecb dmcrypt cipher_null-ecb PASSWORD=$PASSWORD1 # codebook doesn't support IV at all for cipher in $CIPHERS ; do dmcrypt "$cipher-ecb" done for cipher in $CIPHERS ; do for mode in $MODES ; do for ivmode in $IVMODES ; do dmcrypt "$cipher-$mode-$ivmode" done done done dmcrypt xchacha12,aes-adiantum-plain64 dmcrypt xchacha20,aes-adiantum-plain64 echo -n "CAPI format:" echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail $CRYPTSETUP close "$DEV_NAME"_tstdev || fail echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail $CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail $CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail echo [OK] cleanup